EMC VNX Series. Security Configuration Guide for VNX. Version VNX1, VNX2 P/N 300-015-128 REV. 04

Copyright EMC Corporation. All rights reserved. Published in USA.

Published August, 2015

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

EMC², EMC, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.

For the most up-to-date regulatory document for your product line, go to EMC Online Support.

EMC Corporation Hopkinton, Massachusetts In North America

CONTENTS

Preface

Chapter 1  Introduction
  Overview
  User interface choices
  Terminology
  Related features and functionality information
  Unisphere management suite related white papers

Chapter 2  Access Control
  Access control settings
  Security for management access
  Authentication
  Unisphere authentication
  VNX for block CLI authentication
  VNX for file CLI authentication
  User scope
  Authentication with LDAP or Active Directory
  Default accounts
  User actions performed without authentication
  Component authentication (block)
  Authorization
  Main Unisphere roles
  Data Protection roles
  Component access controls
  Component authorization
  VNX for file CLI role-based access
  Windows-styled credentials for UNIX users
  Protecting session tokens
  CIFS Kerberos authentication
  NFS security settings
  Access policies for NFS and CIFS
  Data security settings
  Data integrity
  Encryption of data at rest
  Password policy
  Physical security controls
  Login banner and message of the day

Chapter 3  Logging
  Log settings
  Audit logging on a VNX for block system
  VNX and RSA Envision
  Auditing on a VNX for file system
  Data at Rest Encryption audit logging

Chapter 4  Communication Security
  Communication security settings
  Port usage
  Ports used by Unisphere components on VNX for block
  How VNX for file works on the network
  Defense in depth
  Network services on VNX for file
  Session timeout on VNX for file
  Private networks
  VNX for file primary network services
  VNX for file outgoing network connections
  Network encryption
  SSL configuration on VNX unified/file systems
  Using HTTPS
  Using SSL with LDAP
  SSL certificates
  Connecting to the directory server using SSL
  Planning considerations for Public Key Infrastructure on VNX for file
  Personas
  Certificate Authority (CA) certificates
  Using the Control Station as the CA
  Customer-Supplied Certificates for Control Station
  IP packet reflect on VNX for file systems
  Effect of filtering management network
  vSphere Storage API for Storage Awareness (VASA) support
  Special configurations
  Proxy servers
  Unisphere client/server and NAT
  Other security considerations

Chapter 5  Data Security Settings
  Data at Rest Encryption overview
  Data at Rest Encryption feature activation
  Rebooting Storage Processors through Unisphere
  Rebooting Storage Processors through VNX OE for Block CLI
  Encryption status
  Backup keystore file
  Data in place upgrade
  Hot spare operations
  Adding a disk drive to a VNX with encryption activated
  Removing a disk drive from a VNX with encryption enabled
  Replacing a chassis and SPs from a VNX with encryption enabled

Chapter 6  Security Maintenance
  ESRS on Control Station
  ESRS Device Client on Storage Processor
  ESRS IP Client
  Secure serviceability settings (block)
  Secure remote support considerations
  Security-patch management
  Malware detection

Chapter 7  Advanced Management Capabilities
  Remote management
  Internet Protocol version 6 (IPv6) addressing for a management port
  Support for VLAN tagging
  SNMP management
  Management support for FIPS

Appendix A  Secure deployment and usage settings
  Implementing Unisphere in secure environments

Appendix B  SSL/TLS cipher suites
  Supported SSL/TLS cipher suites

Appendix C  LDAP-based directory server configuration
  Active Directory Users & Computers
  Ldap Admin

Appendix D  VNX for file CLI role-based access
  CLI role-based access setup

Appendix E  VNX for file CLI security configuration operations
  Configuring password policy
  Define password policy interactively
  Define specific password policy definitions
  Set password expiration period
  Configuring session timeout
  Change the session timeout value
  Disable session timeout
  Protect session tokens
  Configuring network encryption and authentication using the SSL protocol
  Using HTTPS on VNX for file
  Using SSL with LDAP on VNX for file
  Change the default SSL protocol
  Change the default SSL cipher suite
  Postrequisites
  Configuring PKI
  Creating the certificate provided by the persona
  Using the Control Station as the CA
  Obtaining CA certificates
  Generate a key set and certificate request
  Send the certificate request to the CA
  Import a CA-signed certificate
  List the available CA certificates
  Acquire a CA certificate
  Import a CA certificate
  Generate a new Control Station CA certificate
  Display the certificate
  Distribute the Control Station CA certificate
  Request and Install Customer-Supplied Certificates for Control Station

  Managing PKI
  Display key set and certificate properties
  Check for expired key sets
  Clear key sets
  Display CA certificate properties
  Check for expired CA certificates
  Delete CA certificates
  Customize a login banner
  Create a MOTD
  Restrict anonymous root login
  Locking accounts after a specific number of failed logins

Index

Preface

As part of an effort to improve and enhance the performance and capabilities of its product lines, EMC periodically releases revisions of its hardware and software. Therefore, some functions described in this document may not be supported by all versions of the software or hardware currently in use. For the most up-to-date information on product features, refer to your product release notes.

If a product does not function properly or does not function as described in this document, please contact your EMC representative.

Special notice conventions used in this document

EMC uses the following conventions for special notices:

DANGER: Indicates a hazardous situation which, if not avoided, will result in death or serious injury.
WARNING: Indicates a hazardous situation which, if not avoided, could result in death or serious injury.
CAUTION: Indicates a hazardous situation which, if not avoided, could result in minor or moderate injury.
NOTICE: Addresses practices not related to personal injury.
Note: Presents information that is important, but not hazard-related.

Where to get help

EMC support, product, and licensing information can be obtained as follows:

Product information: For documentation, release notes, software updates, or for information about EMC products, licensing, and service, go to EMC Online Support (registration required).

Troubleshooting: Go to EMC Online Support. After logging in, locate the applicable Support by Product page.

Technical support: For technical support and service requests, go to EMC Customer Service on EMC Online Support. After logging in, locate the applicable Support by Product page, and choose either Live Chat or Create a service request. To open a service request through EMC Online Support, you must have a valid support agreement. Contact your EMC sales representative for details about obtaining a valid support agreement or with questions about your account.

Do not request a specific support representative unless one has already been assigned to your particular system problem.

Your comments

Your suggestions will help us continue to improve the accuracy, organization, and overall quality of the user publications. Please send your opinion of this document to: techpubcomments@emc.com

CHAPTER 1 Introduction

This chapter briefly describes a variety of security features implemented on the VNX. Topics include:

  Overview
  User interface choices
  Terminology
  Related features and functionality information
  Unisphere management suite related white papers

Overview

EMC VNX implements a variety of security features to control user and network access, monitor system access and use, and support the transmission of encrypted data. The security features related to VNX for file are implemented on the Control Station and Data Movers. The security features related to VNX for block are implemented on the storage processors.

This document provides information about features and configuration options that are available for configuring secure system operation and storage processing. It explains why, when, and how to use these security features. A basic understanding of these features is important to understanding VNX security.

This document is part of the VNX documentation set and is intended for administrators responsible for the overall configuration and operation of VNX. Related features and functionality information on page 12 lists publications that are related to the features and functionality described in this document.

This document is pertinent to systems running the following software:

  VNX operating environment (OE) for file versions 7.1 and 8.x
  VNX OE for block versions 5.32 and 5.33

Exceptions are noted where applicable.

User interface choices

VNX offers flexibility in managing networked storage that is based on your support environment and interface preferences. This document describes how to set and manage security features using the EMC Unisphere software. The Unisphere online help contains more information about configuring and managing your VNX.

You can also perform these tasks using the EMC Unisphere Management interface. The command line interface (CLI) is different for file-based and block-based services. The EMC VNX Command Line Interface Reference for Block describes the CLI commands used to configure and manage a VNX for block system. The EMC VNX Command Line Interface Reference for File describes the CLI commands used to configure and manage a VNX for file system. Also, Using VNX for File CLI for security configuration related operations on page 113 contains detailed information about using the CLI scripts to configure security on the VNX for file.

The VNX Release Notes contain additional, late-breaking information about VNX management applications.

Terminology

The VNX Glossary provides a complete list of VNX terminology.

access control entry (ACE): In a Microsoft Windows environment, an element of an access control list (ACL). This element defines access rights to an object for a user or group.

access control list (ACL): A list of access control entries (ACEs) that provide information about the users and groups allowed access to an object.

access policy: The policy that defines what access control methods (NFS permissions and/or Windows ACLs) are enforced when a user accesses a file on a VNX for file system in an environment configured to provide multiprotocol access to some file systems. The access policy is set with the server_mount command and also determines what actions a user can perform against a file or directory.

authentication: The process for verifying the identity of a user trying to access a resource or object, such as a file or a directory.

Certificate Authority (CA): A trusted third party that digitally signs public key certificates.

Certificate Authority Certificate: A digitally signed association between an identity (a Certificate Authority) and a public key to be used by the host to verify digital signatures on Public Key Certificates.

command line interface (CLI): An interface for entering commands through the Control Station to perform tasks that include the management and configuration of the database and Data Movers and the monitoring of statistics for the VNX for file cabinet components.

Common Internet File System (CIFS): A file-sharing protocol based on the Microsoft Server Message Block (SMB). It allows users to share file systems over the Internet and intranets.

Control Station: A hardware and software component of the VNX for file system that manages the system and provides an administrative user interface to VNX for file components.

Data Mover: A VNX for file cabinet component running its own operating system that retrieves files from a storage device and makes them available to a network client.

directory server: A server that stores and organizes information about a computer network's users and network resources, and that allows network administrators to manage users' access to the resources. X.500 is the best-known open directory service. Proprietary directory services include Microsoft's Active Directory.

Hypertext Transfer Protocol (HTTP): The communications protocol used to connect to servers on the World Wide Web.

Hypertext Transfer Protocol Secure (HTTPS): HTTP over SSL. All network traffic between the client and server system is encrypted. In addition, there is the option to verify server and client identities. Typically server identities are verified and client identities are not.

Kerberos: An authentication, data integrity, and data privacy encryption mechanism used to encode authentication information. Kerberos coexists with NTLM (Netlogon services) and, using secret-key cryptography, provides authentication for client/server applications.

LDAP-based directory: A directory server that provides access by LDAP. Examples of LDAP-based directory servers include OpenLDAP or Oracle Directory Server Enterprise Edition.

Lightweight Directory Access Protocol (LDAP): An industry-standard information access protocol that runs directly over TCP/IP. It is the primary access protocol for Active Directory and LDAP-based directory servers. LDAP Version 3 is defined by a set of Proposed Standard documents in Internet Engineering Task Force (IETF) RFC

Logical Unit Number (LUN): The identifying number of a SCSI or iSCSI object that processes SCSI commands. The LUN is the last part of the SCSI address for a SCSI object. The LUN is an ID for the logical unit, but the term is often used to refer to the logical unit itself.

Network File System (NFS): A distributed file system providing transparent access to remote file systems. NFS allows all network systems to share a single copy of a directory.

OpenLDAP: The open source implementation of an LDAP-based directory service.

persona: A means of providing an identity for a Data Mover as either a server or a client through a private key and associated public key certificate. Each persona can maintain up to two sets of keys (current and next), to allow for the generation of new keys and certificates prior to the expiration of the current certificate.

public key certificate: An electronic ID issued by a certificate authority. It contains the identity (a hostname) of the user or other entity such as a service, a serial number, expiration dates, a copy of the certificate holder's public key (used for encrypting messages and digital signatures), and a digital signature from the certificate-issuing authority so that a recipient can verify that the certificate is valid. For more information, refer to the X.509 standard.

Public Key Infrastructure (PKI): A means of managing private keys and associated public key certificates for use in Public Key Cryptography.

Simple Network Management Protocol (SNMP): Method used to communicate management information between the network management stations and the agents in the network elements.

Secure Socket Layer (SSL): A security protocol that provides encryption and authentication. It encrypts data and provides message and server authentication. It also supports client authentication if required by the server.

Storage Processor (SP): A hardware and software component of the VNX for block system that runs its own operating system and manages the system and provides an administrative user interface to VNX for block components.

Transport Layer Security (TLS): The successor protocol to SSL for general communication authentication and encryption over TCP/IP networks. TLS version 1 is nearly identical with SSL version 3.

X.509: A widely used standard for defining digital certificates.

XML API: An interface for remotely managing and monitoring a VNX for file. The interface uses XML formatted messages, and is programming language neutral.

Related features and functionality information

Specific information related to the features and functionality described in this document is included in:

  EMC VNX Command Line Interface Reference for File
  EMC VNX Command Line Interface Reference for Block
  Man pages for File
  Parameters Guide for VNX
  VNX Glossary
  Installing Management Applications on VNX for File
  Configuring and Managing CIFS on VNX
  Configuring NFS on VNX
  Managing a Multiprotocol Environment on VNX
  Configuring VNX Naming Services
  Using VNX FileMover
  Configuring Events and Notifications on VNX for File
  Configuring and Managing Networking on VNX
  Configuring and Using the Audit Tool on Celerra and VNX for File Technical Note
  EMC Secure Remote Support for VNX
  Managing the SSL Certificate for the ESRS HTTPS Listener Service Technical Note
  Using nas_stig Utility on VNX

The complete set of EMC VNX customer publications is available on the EMC Online Support website. After logging in to the website, click the Support by Product page to locate information for the specific feature required.

For general information on LDAP, refer to:

  RFC 2307, An Approach for Using LDAP as a Network Information Service

For specific information on Active Directory's LDAP and SSL configuration, refer to:

  Microsoft Knowledge Base article How to enable LDAP over SSL with a third-party certification authority (ID )

For specific information on OpenLDAP and SSL configuration, refer to the OpenLDAP website. If you are using a different non-Active Directory LDAP-based directory server, refer to that vendor's documentation for information on LDAP and SSL configuration.

Unisphere management suite related white papers

White papers address major aspects of the Unisphere Management Suite, including domain management. These white papers supplement the standard Unisphere administrator and user documentation. Related white papers on page 13 lists these white papers with a brief overview. The white papers can be found on the EMC Online Support website at EMC's password-protected customer- and partner-only extranet.

Table 1 Related white papers

White paper: EMC Unisphere: Unified Storage Management Solution
Description: This white paper provides an overview of EMC Unisphere, the single management interface for VNX systems, and legacy CLARiiON and Celerra systems. It discusses all the features in Unisphere and lists the features supported by Unisphere v1.0, v1.1, and v

White paper: Domain Management with VNX storage systems
Description: This paper discusses the configuration and management of EMC storage systems within a single storage Domain and across multiple domains using Unisphere software.


CHAPTER 2 Access Control

This chapter describes a variety of access control features implemented on the VNX for file/unified and VNX for block systems. Topics include:

  Access control settings
  Security for management access
  Authentication
  Authorization
  Component access controls
  Data security settings
  Password policy
  Physical security controls
  Login banner and message of the day

Access control settings

Unisphere programs use different strategies to authenticate users; this prevents unauthorized users from accessing VNX systems. These strategies are described in the following sections. Both Unisphere and CLI provide the same level of security with encrypted, authenticated communications.

Security for management access

On any VNX storage system, the following management applications can be used to access the system:

Unisphere - One of the two main applications you use to configure, monitor, and manage VNX systems. Unisphere is a web-based GUI that can be launched by pointing the browser to the IP address of either the Control Station or the Storage Processors (SPs).

Command Line Interface (CLI) - The other main program you use to manage VNX systems. The CLI is separate for block and file services. Block CLI can be installed and run from any host that has network connectivity to the VNX. File CLI can be accessed by opening a remote session to the Control Station using SSH.

Unisphere Service Manager (USM) - This software allows you to update, install and maintain VNX system hardware and software as well as provide contact and system information to your service provider.

Unisphere Host Agent or server utility - These optional software programs run on SAN-attached hosts. Their main function is to help communicate host attributes and LUN/volume mappings to the storage system.

Unisphere Initialization Utility - This optional software allows you to initialize VNX for block systems and network settings from a workstation.

VNX Installation Assistant (VIA) - This software allows you to initialize VNX unified (block and file) and VNX for file systems and network settings from a workstation.

SNMP management software - This optional software allows you to monitor the state of VNX systems.

Admsnap and admhost - These optional management utilities help you manage SnapView and SAN Copy replication objects.

Remote support services - Remote EMC support is available for VNX systems. Many customers use this customer service software to allow EMC to help them configure and monitor their systems.

Unisphere Server software - This software executes the storage management functions described in this guide. In this guide, this software is also called the storage management server. This software is pre-installed on VNX SPs and Control Station. This software can optionally be installed on Windows XP or Windows Server.

As shown in VNX Management components on page 17, the various components communicate with the VNX system both in-band and out-of-band. In-band communication travels over the data connection to the VNX system, while out-of-band communication travels over the management connection to the VNX system.

Figure 1 VNX Management components

It is imperative that management access to the VNX is controlled and limited to authorized users and applications. To secure management access, VNX implements the following main functions:

  Authentication - Identify who is making a request.
  Authorization - Determine if the requestor has the right to exercise the request.
  Privacy - Protect against snooping of data.
  Trust - Verify the identity of communicating parties.
  Audit - Keep a record of who did what, and when.

Authentication

Management applications on a VNX system use authentication to prevent unauthorized users from accessing the system.

Unisphere authentication

Unisphere authenticates users by using usernames and passwords. In Unisphere, the administrator can create user accounts with easy-to-use dialog boxes. When you connect to Unisphere through the browser on your computer, a Java applet is delivered to your browser. The applet establishes a secure connection over SSL/TLS with the storage management server (software that executes the storage management functions) on the VNX through port 443.

Even though HTTPS is not displayed in the browser, the connection is secure.

EMC recommends that you connect to Unisphere through HTTPS (port 443), although for VNX for block it is possible to connect through HTTP (port 80).

On a Control Station, all HTTP management traffic directed to port 80 will be redirected automatically to the HTTPS port (443).

When you start a session, Unisphere prompts you for a username, password, and scope (local, global, or LDAP). These credentials are encrypted and sent to the storage management server. The storage management server then attempts to find a match within the user account information. If a match is found, you are identified as an authenticated user.

If authentication fails, you can attempt to retry authenticating from the same IP address a maximum of six times. If the sixth attempt fails, the system will block any authentication attempt from the same IP address for four minutes; that is, the system will not respond to another attempt for four minutes. The failure count clears when an initial authentication succeeds or a new authentication attempt succeeds four minutes after the previous failures.

With the exception of VNX gateways, the storage management server also uses authentication and encryption when communicating with other storage management servers. Communication between storage management servers occurs when information is replicated throughout the domain. For example, when user account information changes, the information is replicated to each instance of the storage management server in the domain.

VNX for block CLI authentication

VNX for block CLI requires that user credentials be passed with each command. You can provide user credentials in either of the following ways:

  You can provide credentials with each command.
  You can use the addusersecurity command to create a file on the host that stores user credentials. If you enter a VNX for block CLI command without credentials, the CLI gets your credentials from this file and sends your credentials with the command.

If you do not explicitly include your credentials with CLI commands, this security file must contain valid Unisphere credentials. This file is stored in your home directory and its contents are encrypted. This file and its encryption key are protected by access control lists (ACLs) and a machine-specific pass phrase.

VNX for file CLI authentication

For VNX for file CLI, you need to connect by remote terminal using SSH into the Control Station and log in to the Control Station using either a local or global account, or an account with LDAP authentication using SSH. There are two default local accounts on the Control Station (discussed in Default accounts on page 21) or you can create a new local account for this purpose.

Logging in to the system using the Control Station CLI

When a domain-mapped user logs in to the Control Station CLI, the domain name provided must match the domain name or fully qualified domain name known to VNX OE for File. The supported domain-mapped user login formats for LDAP domain-mapped users are:

  <domain name>\<user> (for example, mycompany\anne)
  <user>@<domain name> (for example, anne@mycompany)

The domain name can be specified as the fully qualified domain name. For example:

  <fully qualified domain name>\<user> (for example, mycompany.com\anne)
  <user>@<fully qualified domain name> (for example, anne@mycompany.com)

Users can only log in under a single domain. Consequently, mycompany and mycompany.com are treated as the same domain.

The supported domain-mapped user login formats for storage domain-mapped users are:

  storagedomain\<user> (for example, storagedomain\anne)
  <user>@storagedomain (for example, anne@storagedomain)

storagedomain is a case-sensitive keyword, not a variable, and you must type it exactly as shown.

User scope

User accounts on a storage management server can have one of three scopes:

  Local - This user can access only a single VNX.
  Global - This user can access the entire Unisphere domain.
  LDAP - This user has an account in the LDAP directory, and can access any storage system that uses the LDAP server to authenticate users.

The local scope is ideal when access to a single VNX is required. Users with global scope are easier to manage because you can use one account to access all VNX storage systems within a Unisphere domain. Users with LDAP scope are the most flexible because the accounts are not specific to the storage systems.

There may be duplicate usernames with different scopes. For example, a user "Sarah" with a global scope is different from a user "Sarah" with an LDAP scope.

Authentication with LDAP or Active Directory

The storage management server can authenticate users against directory servers, such as Active Directory (Active Directory is Microsoft's directory server), using LDAP or LDAPS. Authentication against an LDAP server simplifies management because you do not need a separate set of credentials for VNX storage system management. It is also more secure because enterprise password policies can be enforced identically for the storage environment and the server environment.

Managing an LDAP Domain (file/unified and block)

In a VNX domain, the same LDAP server is used for both file/unified and block setup. To manage an LDAP domain, log in to Unisphere and use All Systems > Domains > Users (task list) > Manage LDAP Domain to define server connections, accept or validate the related certificates, and map user group roles. As an alternative method, you can select a system, and then use Settings > Security Settings (task list) > Manage LDAP Domain. After this one-time setup, logins to Unisphere or CLI can be authenticated with an LDAP account. For more information about how to set up connection to an LDAP server, refer to the Unisphere online help.
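The failed-login handling described under Unisphere authentication (six attempts per source IP address, then a four-minute block) replayed over constructed attempt records, as an added example that is not EMC code. The record layout, and the choice to keep the failure count until a success so that a failure arriving after a block expires starts a new block, are assumptions of this sketch.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILURES = 6                   # page: a maximum of six attempts per IP
BLOCK_TIME = timedelta(minutes=4)  # page: four-minute block

# Constructed attempt records. The "time source-IP user result" layout is an
# assumption of this example, not a VNX log format.
SAMPLE_LOG = """\
2015-08-01T10:00:00 10.0.0.5 anne FAIL
2015-08-01T10:00:10 10.0.0.5 anne FAIL
2015-08-01T10:00:20 10.0.0.5 bob FAIL
2015-08-01T10:00:30 10.0.0.5 bob FAIL
2015-08-01T10:00:40 10.0.0.5 sarah FAIL
2015-08-01T10:00:50 10.0.0.5 sarah FAIL
2015-08-01T10:01:00 10.0.0.5 anne FAIL
2015-08-01T10:02:00 10.0.0.5 anne OK
2015-08-01T10:05:00 10.0.0.5 anne FAIL
2015-08-01T10:10:00 10.0.0.9 mike FAIL
2015-08-01T10:10:05 10.0.0.9 mike FAIL
2015-08-01T10:10:10 10.0.0.9 mike FAIL
2015-08-01T10:10:15 10.0.0.9 mike OK
2015-08-01T10:20:00 10.0.0.9 mike FAIL
2015-08-01T10:20:05 10.0.0.9 mike FAIL
2015-08-01T10:20:10 10.0.0.9 mike FAIL
2015-08-01T10:20:15 10.0.0.9 mike FAIL
2015-08-01T10:20:20 10.0.0.9 mike FAIL
"""


def replay(log_text):
    """Apply the lockout rules per source IP and return one finding per block."""
    failures = defaultdict(int)   # consecutive failures since last success
    users = defaultdict(set)      # usernames tried since last success
    blocked_until = {}            # ip -> end of the current block
    open_block = {}               # ip -> finding for the current block
    findings = []
    for line in log_text.strip().splitlines():
        stamp, ip, user, result = line.split()
        ts = datetime.fromisoformat(stamp)
        if ip in blocked_until and ts < blocked_until[ip]:
            # During a block the system does not respond, so even a correct
            # password is ignored and nothing is counted.
            open_block[ip]["dropped"] += 1
            continue
        blocked_until.pop(ip, None)
        if result == "OK":
            # A successful authentication clears the failure count.
            failures[ip] = 0
            users[ip].clear()
            continue
        failures[ip] += 1
        users[ip].add(user)
        if failures[ip] >= MAX_FAILURES:
            # Assumption: the count is kept until a success, so a failure
            # after the block has expired starts a new block at once.
            blocked_until[ip] = ts + BLOCK_TIME
            finding = {
                "ip": ip,
                "blocked_at": ts.isoformat(),
                "blocked_until": blocked_until[ip].isoformat(),
                "users_tried": sorted(users[ip]),
                "dropped": 0,  # attempts ignored while this block was active
            }
            open_block[ip] = finding
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in replay(SAMPLE_LOG):
        print(finding)
```

In the sample, 10.0.0.9 records eight failures in total but is never blocked, because the success after the third failure cleared the count.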

20 Access Control LDAP service configuration options Managing an LDAP Domain (gateway) To manage an LDAP configuration for a VNX gateway system, log in to Unisphere and select your system, and then use Settings > Security Settings (task list) > Manage LDAP Domain to configure the Control Station so it can access the LDAP-based directory server. For more information about how to set up connection to an LDAP server, refer to the Unisphere online help. After this one-time setup, where Unisphere is configured with connection information for the LDAP server and Unisphere roles are mapped to LDAP groups, logins to Unisphere or CLI can be authenticated with an LDAP account. For a VNX gateway system, LDAP configuration information is specific to the VNX gateway system and is not replicated to any other system. Before Unisphere or CLI can authenticate LDAP users, it must be configured to communicate with the LDAP service. Unisphere allows you to add the IP addresses and LDAP connection parameters of the LDAP servers. You will need to obtain the LDAP connection parameters from the LDAP service administrator. When configuring the LDAP service in Unisphere, note the following best practices: For highly available communications with the LDAP service, create service connections with two LDAP servers. If one of the servers is unavailable, the storage management server will send the authentication request to the secondary LDAP server. For the highest levels of security, configure the service connections to use the LDAPS protocol if your LDAP server supports it. This will ensure that all communication between the storage management server and the LDAP server is encrypted with SSL/TLS so that no user credentials are sent in plain text. The LDAP configuration needs to be performed only once for each Unisphere domain; the configuration will be replicated to all other nodes within the domain. 
Role mapping

Once communications are established with the LDAP service, specific LDAP groups must be given access to Unisphere by mapping them to Unisphere roles. The LDAP service only performs the authentication. Once authenticated, the user's authorization is determined by the assigned Unisphere role. The most flexible configuration is to create LDAP groups that correspond to Unisphere roles. This allows you to control access to Unisphere by managing the members of the LDAP groups. LDAP user level role mapping that is related to storage processors (SPs) and Unisphere roles can be configured by using the VNX for block CLI. See the VNX Command Line Interface (CLI) Reference for Block for more information.

For example, assume that there is an LDAP group called "Storage Admins" of which Bob and Sarah are members. Another LDAP group exists called "Storage Monitors" of which Mike and Cathy are members. The "Storage Admins" group can be mapped to the Unisphere Administrator role, giving Bob and Sarah full control of the storage systems. The "Storage Monitors" group can be mapped to the Unisphere Operator role, giving Mike and Cathy read-only access to the storage systems. If six months later Mike becomes a more trusted administrator, he can be given full access to the storage systems (Administrator role) simply by adding him to the "Storage Admins" LDAP group.

Credential caching and account synchronization (block)

The storage management server locally caches credentials for an LDAP user once the user has been authenticated. This caching minimizes traffic to the LDAP service and enhances the user experience by eliminating latency due to authentication requests. Keep in mind that the storage management server authenticates all commands that modify the storage system configuration and not just at login. Caching eliminates redundant authorization requests to the LDAP server.

By default, Unisphere will clear the local cache every 24 hours to force synchronization with the accounts on the LDAP server. In an environment where user accounts are changing often and credentials need to be flushed, this synchronization interval may be tuned down to 30 minutes without noticeable performance impact. Alternatively, manual synchronization forces an immediate clearing of the local cache. This is useful if an employee is terminated and their access to the storage system needs to be removed in a timely fashion.

Default accounts

Default accounts exist for management access and service access.

- Default Management Accounts - See Authentication configuration on page 21 for information on default management accounts and how to change the related passwords.
- Default Service Accounts - Default combinations exist for the management port and service port for access by EMC service personnel. EMC strongly encourages you to change the management port username/password combination (see Secure serviceability settings (block) on page 79 for more details). Service personnel will need the username and password, so be prepared to disclose this information.

Authentication configuration

Security is initialized differently for VNX unified/file and VNX for block systems.
VNX unified/file systems will have the following management accounts factory installed:

- root - This is a VNX for file local account and provides root-level privileges on the control station.
- nasadmin - This is a VNX for file local account and provides administrator level privileges on the control station.
- sysadmin - This is a global system account and provides administrator level privileges for both VNX for file and VNX for block.

A system account is a special global account that is needed for internal communication between block and file services. VNX unified/file systems require at least one system account. You cannot delete this system account unless another global administrator account or global security administrator account is available.

VNX Installation Assistant (VIA) is the utility for initializing VNX unified/file systems. EMC recommends changing the default password for the three accounts when first initializing a VNX unified/file system using VIA.

VNX for block systems do not have any default management accounts. The Unisphere Initialization wizard is the utility used for initializing VNX for block systems. Security can be initialized on VNX for block systems in the following ways:

- User can choose to create a global account when initializing the system using Unisphere Initialization wizard.
- User can create a global account when first logging into Unisphere.

A system account is not created by default on VNX for block systems because it is not needed; however, adding another VNX unified/file system to the VNX for block system's local domain would require a system account and the user will be prompted accordingly to create a system account.

For all VNX systems (VNX unified/file and VNX for block), at least one global account is required. This account must have the "administrator" or "security administrator" role. An LDAP server(s) can be configured if LDAP authentication is desired, and other global or local accounts can also be created. Security functions having to do with configuring authentication can be performed either from Unisphere or secure CLI.

User actions performed without authentication

VNX systems will not permit any actions without authentication.

Component authentication (block)

iSCSI's primary authentication mechanism for iSCSI initiators is the Challenge Handshake Authentication Protocol (CHAP). CHAP is an authentication protocol that is used to authenticate iSCSI initiators at target login and at various random times during a connection. CHAP security consists of a username and password. You can configure and enable CHAP security for initiators and for targets. Log in to Unisphere and use All Systems > System List and right-click the entry for the storage system for which you want to configure CHAP, then use > iSCSI > CHAP Management. To enable CHAP, select your system and then use Settings > Network > Settings for Block. For more information on configuring and enabling CHAP, refer to the Unisphere online help. The CHAP protocol requires initiator authentication. Target authentication (mutual CHAP) is optional.

Authorization

The Storage Management Server authorizes user activity based on the role of the user. A role is a collection of access privileges that provides the account administrator with a simple tool for assigning access rights. Unisphere and VNX for file CLI authorize user activity based on the role of the user. VNX for block CLI is based on user credential authentication.
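The CHAP exchange described under Component authentication (block), shown as an added example that is not part of the EMC guide or of VNX code. It follows the RFC 1994 response calculation and covers both initiator authentication and optional target authentication (mutual CHAP); the iSCSI names and secrets are constructed sample values.

```python
import hashlib
import hmac
import os

# Constructed sample names; real values come from your own iSCSI configuration.
INITIATOR = "iqn.2015-08.com.example:host01"
TARGET = "iqn.2015-08.com.example:array01"


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """The side that issues a challenge and checks the peer's response."""

    def __init__(self, secrets_by_name):
        self._secrets = dict(secrets_by_name)  # CHAP username -> secret

    def new_challenge(self):
        # A fresh random identifier and challenge for every authentication,
        # so a captured response cannot be replayed later.
        return os.urandom(1)[0], os.urandom(16)

    def verify(self, name, identifier, challenge, response) -> bool:
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, challenge)
        # Constant-time comparison of the expected and received digests.
        return hmac.compare_digest(expected, response)


def initiator_login(target, initiator_name, initiator_secret) -> bool:
    """Initiator authentication: the target challenges the initiator."""
    identifier, challenge = target.new_challenge()      # target -> initiator
    response = chap_response(identifier, initiator_secret, challenge)
    return target.verify(initiator_name, identifier, challenge, response)


def mutual_login(target, initiator, initiator_name, initiator_secret,
                 target_name, target_secret) -> bool:
    """Mutual CHAP: after proving itself, the initiator challenges the target.

    `initiator` holds the secret the initiator expects the target to know;
    `target_secret` is what the system answering as the target really holds.
    """
    identifier, challenge = target.new_challenge()
    response = chap_response(identifier, initiator_secret, challenge)
    if not target.verify(initiator_name, identifier, challenge, response):
        return False
    identifier2, challenge2 = initiator.new_challenge()  # initiator -> target
    if challenge2 == challenge:
        # Never accept the same challenge in both directions (reflection).
        return False
    response2 = chap_response(identifier2, target_secret, challenge2)
    return initiator.verify(target_name, identifier2, challenge2, response2)


if __name__ == "__main__":
    array = Authenticator({INITIATOR: b"initiator-secret-0001"})
    host = Authenticator({TARGET: b"target-secret-000002"})
    print("initiator accepted:",
          initiator_login(array, INITIATOR, b"initiator-secret-0001"))
    print("impostor target accepted:",
          mutual_login(array, host, INITIATOR, b"initiator-secret-0001",
                       TARGET, b"not-the-real-secret"))
```

The secret itself never crosses the wire in either direction; only the challenge and the digest do, which is why each direction needs its own secret provisioned on both sides.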
Main Unisphere roles

Unisphere roles include eight main roles (Operator, Network Administrator, NAS Administrator, SAN Administrator, Storage Administrator, Administrator, Security Administrator, and VM Administrator) and three Data Protection roles (Local Data Protection, Data Protection and Data Recovery). The main Unisphere roles and data protection roles can have global or local scopes. The main roles include:

- Operator - Read-only privilege for storage and domain operations; no privilege for security operations.
- Network Administrator - All operator privileges and privileges to configure DNS, IP settings, and SNMP.
- NAS Administrator - Full privileges for file operations. Operator privileges for block and security operations.
- SAN Administrator - Full privileges for block operations. Operator privileges for file and security operations.
- Storage Administrator - Full privileges for file and block operations. Operator privileges for security operations.
- Security Administrator - Full privileges for security operations including domains. Operator privileges for file and block operations.
- Administrator - Full privileges for file, block, and security operations. This role is the most privileged role.
- VM Administrator - Enables you to view and monitor basic storage components of your VNX system through vCenter by using VMware's vSphere Storage APIs for Storage Awareness (VASA).

The combination of Security Administrator and Storage Administrator privileges is equivalent to those of an Administrator.

As a security and system integrity best practice, superusers (administrators in Unisphere) should not run with full administrative privileges for day-to-day operations. The security administrator role should be used to segment authorized actions between separate accounts. By dividing administrative privileges into security administrator and storage administrator roles, storage administrator accounts will be authorized only to perform storage related actions, and security administrator accounts will only be authorized to perform domain and security related functions. With the security administrator role, accounts with full administrative privileges can be reduced to one and duties can be separated for day-to-day operations.

Unisphere requires the creation of user accounts, where a user account is identified as the unique combination of username, role, and scope. This ability provides flexibility in setting up user accounts. It is expected that most IT personnel will be assigned a global operator account so they can monitor every storage system in the domain. Also, they can be assigned local storage administrator accounts for each specific storage system they are authorized to configure.
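One way to check an account list against the separation-of-duties guidance above, as an added example that is not EMC code. It assumes the accounts have been written out as (username, role, scope) tuples, a constructed format with hypothetical user and system names, and it goes slightly beyond the text by treating any combination of roles that yields full file, block and security privileges as Administrator-equivalent, which is an inference from the role descriptions.

```python
from collections import defaultdict

# Domains in which each role has FULL privileges, taken from the role
# descriptions on this page. Roles with only operator-level or task-level
# rights hold no full privileges in any of the three domains.
FULL_PRIVILEGES = {
    "Operator": set(),
    "Network Administrator": set(),
    "NAS Administrator": {"file"},
    "SAN Administrator": {"block"},
    "Storage Administrator": {"file", "block"},
    "Security Administrator": {"security"},
    "Administrator": {"file", "block", "security"},
    "VM Administrator": set(),
    "Local Data Protection": set(),
    "Data Protection": set(),
    "Data Recovery": set(),
}
ALL_DOMAINS = {"file", "block", "security"}

# Constructed sample input: scope is "global" or the name of one system.
ACCOUNTS = [
    ("bob", "Administrator", "global"),
    ("sarah", "Security Administrator", "global"),
    ("sarah", "Storage Administrator", "vnx-lab-01"),
    ("mike", "Operator", "global"),
    ("mike", "Storage Administrator", "vnx-prod-01"),
    ("cathy", "NAS Administrator", "vnx-prod-01"),
    ("cathy", "SAN Administrator", "vnx-prod-01"),
]


def effective_full_domains(accounts):
    """Map user -> {scope: domains with full privileges}.

    The "global" entry holds the user's global roles; each system entry is
    that system's local roles combined with the global ones.
    """
    per_user = defaultdict(lambda: defaultdict(set))
    for user, role, scope in accounts:
        if role not in FULL_PRIVILEGES:
            raise ValueError(f"unknown role: {role!r}")
        per_user[user][scope] |= FULL_PRIVILEGES[role]
    result = {}
    for user, scopes in per_user.items():
        global_domains = set(scopes.get("global", set()))
        merged = {"global": global_domains}
        for scope, domains in scopes.items():
            if scope != "global":
                merged[scope] = domains | global_domains
        result[user] = merged
    return result


def audit(accounts):
    """Report who holds full administrative privileges, and where."""
    explicit = sorted({u for u, role, _ in accounts if role == "Administrator"})
    combined = {}
    for user, scopes in effective_full_domains(accounts).items():
        if user in explicit:
            continue
        where = sorted(s for s, d in scopes.items() if d == ALL_DOMAINS)
        if where:
            combined[user] = where
    # The guide requires at least one global account with the administrator
    # or security administrator role.
    has_required_global = any(
        scope == "global" and role in ("Administrator", "Security Administrator")
        for _, role, scope in accounts
    )
    return {
        "explicit_administrators": explicit,
        "combined_administrators": combined,
        "more_than_one_full_admin": len(explicit) + len(combined) > 1,
        "has_required_global_account": has_required_global,
    }


if __name__ == "__main__":
    for key, value in audit(ACCOUNTS).items():
        print(f"{key}: {value}")
```

In the sample, sarah is never assigned the Administrator role, yet her global Security Administrator account plus a local Storage Administrator account gives her Administrator-equivalent privileges on one system.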
You can create global user accounts, each with privileges appropriate to their responsibilities. To create new global user accounts in your local domain, log in to Unisphere and use All Systems > Domains > Users (task list) > Manage Global Users. Alternatively, select your system, and then use Settings > Security > User Management (task list) Global Users. You can only access the global users feature from Settings if your selected system is a system in your local domain.

You can create local user accounts for file and block systems, each with privileges appropriate to their responsibilities. A local user for block can only manage block features on the local system. Similarly, a local user for file can only manage file server features on the local system. To create new local user accounts for block, log in to Unisphere and select your VNX for block system, and then use Settings > User Management (task list) Local Users for Block. To create new local user accounts for file, log in to Unisphere and select your VNX for file system, and then use Settings > User Management (task list) Local Users for File. For more information on creating user accounts, refer to the Unisphere online help.

Data Protection roles

Data Protection (Replication) tasks are often performed by third-party personnel. In the earlier releases, a user needed storage administrator-level privileges to perform data protection tasks; however, allowing third-party personnel this level of access could pose a security threat. To solve this problem, VNX systems have three Data Protection roles:

None of these roles allows the user to create new data protection objects such as snapshots, clones, SAN Copy sessions, or mirrors. The user can control only existing data protection objects. Users can view the domain for objects that they cannot control; this allows them to have a fuller understanding of their environment.

- Local Data Protection - Has privileges only to do SnapView (snapshots and clones) and SnapSure (Checkpoints) tasks; however, data recovery operations such as rolling back a snapshot or reverse synchronizing a clone are not allowed. Also, this role does not have privilege to create new storage objects.
- Data Protection - Includes all local data protection privileges, MirrorView, and SAN Copy tasks; however, data recovery tasks such as promoting a secondary and fracturing a mirror are not allowed. Also, this role does not have privilege to create new storage objects.
- Data Recovery - Includes all local data protection and data-protection role privileges and the ability to do data recovery tasks; however, this role does not have privilege to create new storage objects.

Capabilities of data protection roles on page 24 lists the data protection tasks and which roles have privilege to perform those tasks. VNX for File CLI role-based access on page 103 provides detailed information about how role-based access is used to determine which of the VNX for file CLI commands (task) a particular user can execute.
Table 2 Capabilities of data protection roles

| Task | Local data protection | Data protection | Data recovery |
|---|---|---|---|
| SnapView | | | |
| Start a (consistent) snap session | Yes | Yes | Yes |
| Stop a (consistent) snap session | Yes | Yes | Yes |
| Activate a session to a snapshot LUN | Yes | Yes | Yes |
| Deactivate a session from a snapshot LUN | Yes | Yes | Yes |
| Synchronize a clone | Yes | Yes | Yes |
| Fracture a clone | Yes | Yes | Yes |
| Roll back a snap session | No | No | Yes |
| Reverse synchronize a clone | No | No | Yes |
| MirrorView | | | |
| Synchronize a mirror / consistency group | No | Yes | Yes |
| Fracture a mirror / consistency group | No | No | Yes |
| Control the update parameters of an asynchronous mirror | No | Yes | Yes |
| Modify the update frequency of an asynchronous mirror | No | Yes | Yes |
| Throttle a mirror / consistency group | No | Yes | Yes |
| Promote a synchronous or asynchronous secondary mirror / consistency group | No | No | Yes |
| SAN Copy | | | |
| Start a session | No | Yes | Yes |
| Stop a session | No | Yes | Yes |
| Pause a session | No | Yes | Yes |
| Resume a session | No | Yes | Yes |
| Mark a session | No | Yes | Yes |
| Unmark a session | No | Yes | Yes |
| Verify a session | No | Yes | Yes |
| Throttle a session | No | Yes | Yes |

Component access controls

Component access control settings define access to the product by external and internal systems or components.

Component authorization

A storage group is an access control mechanism for LUNs. It segregates groups of LUNs from access by specific hosts. When you configure a storage group, you identify a set of LUNs that will be used by only one or more hosts. The storage system then enforces access to the LUNs from the host. The LUNs are presented only to the hosts in the storage group, and the hosts can see only the LUNs in the group (LUN masking). To configure a storage group, select your system and then use Host > Storage Groups. For more information on configuring a storage group, refer to the Unisphere online help.

IP filtering adds another layer of security by allowing administrators and security administrators to configure the storage system to restrict administration access to specified IP addresses. These settings can be applied to the local storage system or to the entire domain of storage systems. See Secure serviceability settings (block) on page 79 for more details about IP filtering.

VNX for file CLI role-based access

The administrative user account you use to access the command line interface is associated with specific privileges, also referred to as roles. A role defines the privileges (operations) a user can perform on a particular VNX object. The ability to select a predefined role or define a custom role that gives a user certain privileges is supported for users who access VNX through the CLI, EMC Unisphere, and the XML API.

VNX for File CLI role-based access on page 103 provides detailed information about how role-based access is used to determine which of the VNX for file CLI commands a particular user can execute.

Windows-styled credentials for UNIX users

VNX for file allows you to create a common Windows-style (NT) credential. Users therefore have the same credentials regardless of their file access protocol, providing more consistent access control. Managing a Multiprotocol Environment on VNX describes how to configure this feature.

Protecting session tokens

The connection between a user and Unisphere and between two VNX for file systems uses SHA1 to generate checksums to protect the session tokens (cookies) that identify users after they log in. The SHA1 secret value used to generate the checksums is set at random during installation; however, to enhance security, you can change the default SHA1 secret value. When you change this value, existing session tokens (cookies) are no longer valid and current users of Unisphere will have to log in again. You must be root to modify Control Station properties. Refer to Protect session tokens on page 116 for detailed information.

CIFS Kerberos authentication

By default, VNX for file allows both Kerberos and NTLM authentication. Since Kerberos is now the recommended authentication method in Windows environments, you may want to disable NTLM authentication. The server_cifs man page describes how to configure this setting and Configuring and Managing CIFS on VNX describes authentication.
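Why changing the SHA1 secret described under Protecting session tokens forces every user to log in again, as an added example that is not VNX code. The guide does not give the token format, so the payload layout and the use of HMAC-SHA1 as the keyed checksum are assumptions made for illustration; secrets and user names are constructed.

```python
import hashlib
import hmac
import secrets


def new_secret() -> bytes:
    """Random secret, standing in for the value set at installation."""
    return secrets.token_bytes(32)


def issue_token(secret: bytes, user: str, ttl: int, now: int) -> str:
    """Build 'user|expiry|checksum'; the checksum is keyed with the secret.

    The layout and HMAC-SHA1 construction are assumptions for this example.
    """
    payload = f"{user}|{now + ttl}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha1).hexdigest()
    return f"{payload}|{mac}"


def verify_token(secret: bytes, token: str, now: int):
    """Return the user name if the token is intact and unexpired, else None."""
    try:
        user, expires, mac = token.rsplit("|", 2)
        expires_at = int(expires)
    except ValueError:
        return None  # malformed token
    expected = hmac.new(secret, f"{user}|{expires}".encode(),
                        hashlib.sha1).hexdigest()
    # Constant-time comparison; a token edited by the client fails here,
    # and so does any token issued under a previous secret.
    if not hmac.compare_digest(expected.encode(), mac.encode()):
        return None
    if now >= expires_at:
        return None
    return user


if __name__ == "__main__":
    old_secret = new_secret()
    token = issue_token(old_secret, "nasadmin", ttl=3600, now=1000)
    print("valid under old secret:", verify_token(old_secret, token, 1500))
    print("after secret change:  ", verify_token(new_secret(), token, 1500))
```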
NFS security settings

Although NFS is generally regarded as a vulnerable file-sharing protocol, you can make it more secure by using the following configuration settings:

- Defining read-only access for some (or all) hosts
- Limiting root access to specific systems or subnets
- Hiding export and mount information if a client does not have mount permissions for the file system corresponding to that entry

In addition, if strong authentication is required, you can configure Secure NFS, which uses Kerberos. Configuring NFS on VNX describes how to configure these settings.

All NFS exports are displayed by default. To hide NFS exports, you must change the value of the forcefullshowmount parameter for the mount facility using the server_param command.

Access policies for NFS and CIFS

The VNX for file set of customizable access modes allows you to choose the best possible interaction between NFS and CIFS access for your environment. Managing a Multiprotocol Environment on VNX describes how to configure this feature. You can select how security attributes are maintained and the type of interaction between NFS and CIFS users including:

- NATIVE
- UNIX


More information

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2 RSA Authentication Manager 7.1 Security Best Practices Guide Version 2 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks

More information

NexentaConnect for VMware Virtual SAN

NexentaConnect for VMware Virtual SAN NexentaConnect for VMware Virtual SAN User Guide 1.0.2 FP3 Date: April, 2016 Subject: NexentaConnect for VMware Virtual SAN User Guide Software: NexentaConnect for VMware Virtual SAN Software Version:

More information

NetApp Storage System Plug-In 12.1.0.1.0 for Oracle Enterprise Manager 12c Installation and Administration Guide

NetApp Storage System Plug-In 12.1.0.1.0 for Oracle Enterprise Manager 12c Installation and Administration Guide NetApp Storage System Plug-In 12.1.0.1.0 for Oracle Enterprise Manager 12c Installation and Administration Guide Sachin Maheshwari, Anand Ranganathan, NetApp October 2012 Abstract This document provides

More information

Web Application Firewall

Web Application Firewall Web Application Firewall Getting Started Guide August 3, 2015 Copyright 2014-2015 by Qualys, Inc. All Rights Reserved. Qualys and the Qualys logo are registered trademarks of Qualys, Inc. All other trademarks

More information

Advanced Administration

Advanced Administration BlackBerry Enterprise Service 10 BlackBerry Device Service Version: 10.2 Advanced Administration Guide Published: 2014-09-10 SWD-20140909133530796 Contents 1 Introduction...11 About this guide...12 What

More information

User Identification and Authentication

User Identification and Authentication User Identification and Authentication Vital Security 9.2 Copyright Copyright 1996-2008. Finjan Software Inc.and its affiliates and subsidiaries ( Finjan ). All rights reserved. All text and figures included

More information

SuperLumin Nemesis. Administration Guide. February 2011

SuperLumin Nemesis. Administration Guide. February 2011 SuperLumin Nemesis Administration Guide February 2011 SuperLumin Nemesis Legal Notices Information contained in this document is believed to be accurate and reliable. However, SuperLumin assumes no responsibility

More information

EMC Backup and Recovery for Microsoft SQL Server 2008 Enabled by EMC Celerra Unified Storage

EMC Backup and Recovery for Microsoft SQL Server 2008 Enabled by EMC Celerra Unified Storage EMC Backup and Recovery for Microsoft SQL Server 2008 Enabled by EMC Celerra Unified Storage Applied Technology Abstract This white paper describes various backup and recovery solutions available for SQL

More information

F-Secure Messaging Security Gateway. Deployment Guide

F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

eg Enterprise v5.2 Clariion SAN storage system eg Enterprise v5.6

eg Enterprise v5.2 Clariion SAN storage system eg Enterprise v5.6 EMC Configuring Clariion and SAN and Monitoring Monitoring storage an system EMC an eg Enterprise v5.2 Clariion SAN storage system eg Enterprise v5.6 Restricted Rights Legend The information contained

More information

Installing and Configuring vcenter Multi-Hypervisor Manager

Installing and Configuring vcenter Multi-Hypervisor Manager Installing and Configuring vcenter Multi-Hypervisor Manager vcenter Server 5.1 vcenter Multi-Hypervisor Manager 1.1 This document supports the version of each product listed and supports all subsequent

More information

RSA envision Windows Eventing Collector Service Deployment Overview Guide

RSA envision Windows Eventing Collector Service Deployment Overview Guide RSA envision Windows Eventing Collector Service Deployment Overview Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks

More information

Setup Guide Access Manager 3.2 SP3

Setup Guide Access Manager 3.2 SP3 Setup Guide Access Manager 3.2 SP3 August 2014 www.netiq.com/documentation Legal Notice THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE

More information

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP

Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP Cisco TelePresence Authenticating Cisco VCS Accounts Using LDAP Deployment Guide Cisco VCS X8.1 D14465.06 December 2013 Contents Introduction 3 Process summary 3 LDAP accessible authentication server configuration

More information

Veeam Cloud Connect. Version 8.0. Administrator Guide

Veeam Cloud Connect. Version 8.0. Administrator Guide Veeam Cloud Connect Version 8.0 Administrator Guide April, 2015 2015 Veeam Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may be

More information

OnCommand Unified Manager 6.3

OnCommand Unified Manager 6.3 OnCommand Unified Manager 6.3 Installation and Setup Guide For VMware Virtual Appliances NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408) 822-4501 Support

More information

GlobalSCAPE DMZ Gateway, v1. User Guide

GlobalSCAPE DMZ Gateway, v1. User Guide GlobalSCAPE DMZ Gateway, v1 User Guide GlobalSCAPE, Inc. (GSB) Address: 4500 Lockhill-Selma Road, Suite 150 San Antonio, TX (USA) 78249 Sales: (210) 308-8267 Sales (Toll Free): (800) 290-5054 Technical

More information

RealPresence Platform Director

RealPresence Platform Director RealPresence CloudAXIS Suite Administrators Guide Software 1.3.1 GETTING STARTED GUIDE Software 2.0 June 2015 3725-66012-001B RealPresence Platform Director Polycom, Inc. 1 RealPresence Platform Director

More information

Xerox DocuShare Security Features. Security White Paper

Xerox DocuShare Security Features. Security White Paper Xerox DocuShare Security Features Security White Paper Xerox DocuShare Security Features Businesses are increasingly concerned with protecting the security of their networks. Any application added to a

More information

Citrix Access on SonicWALL SSL VPN

Citrix Access on SonicWALL SSL VPN Citrix Access on SonicWALL SSL VPN Document Scope This document describes how to configure and use Citrix bookmarks to access Citrix through SonicWALL SSL VPN 5.0. It also includes information about configuring

More information

EMC Celerra Network Server

EMC Celerra Network Server EMC Celerra Network Server Release 5.6.47 Using Windows Administrative Tools with Celerra P/N 300-004-139 REV A02 EMC Corporation Corporate Headquarters: Hopkintons, MA 01748-9103 1-508-435-1000 www.emc.com

More information

EMC VNX Series: Introduction to SMB 3.0 Support

EMC VNX Series: Introduction to SMB 3.0 Support White Paper EMC VNX Series: Introduction to SMB 3.0 Support Abstract This white paper introduces the Server Message Block (SMB) 3.0 support available on the EMC VNX and the advantages gained over the previous

More information

OnCommand Unified Manager

OnCommand Unified Manager OnCommand Unified Manager Operations Manager Administration Guide For Use with Core Package 5.2 NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1(408) 822-6000 Fax: +1(408) 822-4501

More information

For the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU.

For the protocol access paths listed in the following table, the Sentry firmware actively listens on server ports to provide security for the CDU. CDU Security This provides a quick reference for access paths to Server Technology s Cabinet Distribution Unit (CDU) products, shows if the access path is secure, and if so, provides an overview of how

More information

Quick Start Guide. for Installing vnios Software on. VMware Platforms

Quick Start Guide. for Installing vnios Software on. VMware Platforms Quick Start Guide for Installing vnios Software on VMware Platforms Copyright Statements 2010, Infoblox Inc. All rights reserved. The contents of this document may not be copied or duplicated in any form,

More information

RSA Authentication Manager 8.1 Virtual Appliance Getting Started

RSA Authentication Manager 8.1 Virtual Appliance Getting Started RSA Authentication Manager 8.1 Virtual Appliance Getting Started Thank you for purchasing RSA Authentication Manager 8.1, the world s leading two-factor authentication solution. This document provides

More information

Using iscsi with BackupAssist. User Guide

Using iscsi with BackupAssist. User Guide User Guide Contents 1. Introduction... 2 Documentation... 2 Terminology... 2 Advantages of iscsi... 2 Supported environments... 2 2. Overview... 3 About iscsi... 3 iscsi best practices with BackupAssist...

More information

M86 Web Filter USER GUIDE for M86 Mobile Security Client. Software Version: 5.0.00 Document Version: 02.01.12

M86 Web Filter USER GUIDE for M86 Mobile Security Client. Software Version: 5.0.00 Document Version: 02.01.12 M86 Web Filter USER GUIDE for M86 Mobile Security Client Software Version: 5.0.00 Document Version: 02.01.12 M86 WEB FILTER USER GUIDE FOR M86 MOBILE SECURITY CLIENT 2012 M86 Security All rights reserved.

More information

Using Microsoft Active Directory (AD) with HA3969U in Windows Server

Using Microsoft Active Directory (AD) with HA3969U in Windows Server Using Microsoft Active Directory (AD) with HA3969U in Windows Server Application Note Abstract This application note describes how to use Microsoft Active Directory (AD) service with HA3969U systems in

More information

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment

Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment White Paper Data Collection and Analysis: Get End-to-End Security with Cisco Connected Analytics for Network Deployment Cisco Connected Analytics for Network Deployment (CAND) is Cisco hosted, subscription-based

More information

CommVault Simpana Archive 8.0 Integration Guide

CommVault Simpana Archive 8.0 Integration Guide CommVault Simpana Archive 8.0 Integration Guide Data Domain, Inc. 2421 Mission College Boulevard, Santa Clara, CA 95054 866-WE-DDUPE; 408-980-4800 Version 1.0, Revision B September 2, 2009 Copyright 2009

More information

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2 Contents Introduction--1 Content and Purpose of This Guide...........................1 User Management.........................................2 Types of user accounts2 Security--3 Security Features.........................................3

More information

Enterprise Manager. Version 6.2. Installation Guide

Enterprise Manager. Version 6.2. Installation Guide Enterprise Manager Version 6.2 Installation Guide Enterprise Manager 6.2 Installation Guide Document Number 680-028-014 Revision Date Description A August 2012 Initial release to support version 6.2.1

More information

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide

RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide RSA Authentication Agent 7.2 for Microsoft Windows Installation and Administration Guide Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com

More information

www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013

www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 www.novell.com/documentation Policy Guide Access Manager 3.1 SP5 January 2013 Legal Notices Novell, Inc., makes no representations or warranties with respect to the contents or use of this documentation,

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

Clustered Data ONTAP 8.3

Clustered Data ONTAP 8.3 Clustered Data ONTAP 8.3 Remote Support Agent Configuration Guide For Use with Clustered Data ONTAP NetApp, Inc. 495 East Java Drive Sunnyvale, CA 94089 U.S. Telephone: +1 (408) 822-6000 Fax: +1 (408)

More information

Two Factor Authentication in SonicOS

Two Factor Authentication in SonicOS Two Factor Authentication in SonicOS 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential damage

More information

How To Secure An Rsa Authentication Agent

How To Secure An Rsa Authentication Agent RSA Authentication Agents Security Best Practices Guide Version 3 Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com. Trademarks RSA,

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505 INTEGRATION GUIDE DIGIPASS Authentication for Cisco ASA 5505 Disclaimer DIGIPASS Authentication for Cisco ASA5505 Disclaimer of Warranties and Limitation of Liabilities All information contained in this

More information

IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8

IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8 IDENTIKEY Appliance Administrator Guide 3.3.5.0 3.6.8 Disclaimer of Warranties and Limitations of Liabilities Legal Notices Copyright 2008 2015 VASCO Data Security, Inc., VASCO Data Security International

More information

Nasuni Management Console Guide

Nasuni Management Console Guide Nasuni Management Console Guide Version 5.5 April 2014 2014 Nasuni Corporation All Rights Reserved Document Information Nasuni Management Console Guide Version 5.5 April 2014 Copyright Copyright 2010-2014

More information

EMC Navisphere Manager ADMINISTRATOR S GUIDE P/N 069001125 REV A12

EMC Navisphere Manager ADMINISTRATOR S GUIDE P/N 069001125 REV A12 EMC Navisphere Manager ADMINISTRATOR S GUIDE P/N 069001125 REV A12 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508 -435-1000 www.emc.com Copyright 2003-2005 EMC Corporation. All

More information

How To Manage A Network On A Linux Computer (Vnx) On A Windows 7 Computer (Windows) On An Ipod Or Ipod (Windows 7) On Your Ipod Computer (For Windows) On The Network (For Linux)

How To Manage A Network On A Linux Computer (Vnx) On A Windows 7 Computer (Windows) On An Ipod Or Ipod (Windows 7) On Your Ipod Computer (For Windows) On The Network (For Linux) EMC VNX Series Configuring VNX Naming Services P/N 300-011-855 REV A01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com 2 of 80 Contents Introduction..................................................5

More information

Installing and Configuring vcloud Connector

Installing and Configuring vcloud Connector Installing and Configuring vcloud Connector vcloud Connector 2.7.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new

More information

Configuring Security Features of Session Recording

Configuring Security Features of Session Recording Configuring Security Features of Session Recording Summary This article provides information about the security features of Citrix Session Recording and outlines the process of configuring Session Recording

More information

Novell Access Manager

Novell Access Manager Access Gateway Guide AUTHORIZED DOCUMENTATION Novell Access Manager 3.1 SP2 November 16, 2010 www.novell.com Novell Access Manager 3.1 SP2 Access Gateway Guide Legal Notices Novell, Inc., makes no representations

More information

Executive Summary and Purpose

Executive Summary and Purpose ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on

More information

ez Agent Administrator s Guide

ez Agent Administrator s Guide ez Agent Administrator s Guide Copyright This document is protected by the United States copyright laws, and is proprietary to Zscaler Inc. Copying, reproducing, integrating, translating, modifying, enhancing,

More information

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide

Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Dell SupportAssist Version 2.0 for Dell OpenManage Essentials Quick Start Guide Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your computer.

More information

Hardening Guide. Installation Guide

Hardening Guide. Installation Guide Installation Guide About this Document The intended use of this guide is to harden devices and also provide collateral for deployment teams to deal with local network policy, configurations and specification.

More information

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK

Barracuda Networks Technical Documentation. Barracuda SSL VPN. Administrator s Guide. Version 2.x RECLAIM YOUR NETWORK Barracuda Networks Technical Documentation Barracuda SSL VPN Administrator s Guide Version 2.x RECLAIM YOUR NETWORK Copyright Notice Copyright 2004-2011, Barracuda Networks, Inc. www.barracuda.com v20-110511w-02-110915jc

More information

RSA Authentication Manager 7.1 Basic Exercises

RSA Authentication Manager 7.1 Basic Exercises RSA Authentication Manager 7.1 Basic Exercises Contact Information Go to the RSA corporate web site for regional Customer Support telephone and fax numbers: www.rsa.com Trademarks RSA and the RSA logo

More information

EMC VNX Series Release 7.0

EMC VNX Series Release 7.0 EMC VNX Series Using MirrorView Synchronous with VNX for File for P/N 300-011-859 REV A01 EMC Corporation Corporate Headquarters: Hopkinton, MA 01748-9103 1-508-435-1000 www.emc.com 2 of 144 Contents Introduction..................................................4

More information

HyTrust Appliance Administration Guide

HyTrust Appliance Administration Guide HyTrust Appliance Administration Guide Version 3.0.2 October, 2012 HyTrust Appliance Administration Guide Copyright 2009-2012 HyTrust Inc. All Rights Reserved. HyTrust, Virtualization Under Control and

More information

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0

Configuration Guide. BlackBerry Enterprise Service 12. Version 12.0 Configuration Guide BlackBerry Enterprise Service 12 Version 12.0 Published: 2014-12-19 SWD-20141219132902639 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12...

More information

VMware Identity Manager Connector Installation and Configuration

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

More information